That makes a lot of sense! I recently interviewed several great creators on this exact topic and they all echoed similar ideas - although it's easy to fear that someone else has done it better, oftentimes they really haven't, and they'll never have your own unique perspective.
One challenge is that it takes repetitions to get good enough that you can even bring your ideas to life, and many people don't push through this (Ira Glass "taste gap").
A good reminder that signup is a surprisingly rich target.
>Every row has the same name: " Dene Hemen! 5K Lira Bonusunu Yakala" — Turkish for "Try it now! Grab the 5,000 Lira bonus." Casino spam.
>Each registration fired a verification email. 55K signups = 55K attempted sends to fake addresses — the kind of bounce storm that gets a sending domain blacklisted.
I'd be surprised if the email addresses were entirely fake - it doesn't make sense to advertise to just the website developer. It seems more likely that this spammer is targeting real email addresses from some dump (QQ is especially prone to this, since you can target random QQ ID numbers and get a lot higher of a hit rate).
While I understand that not every business wants automation on their site, I know some businesses are totally open to it. But from a technical perspective, it's very difficult to allow well-behaved browser automation while still blocking abusive bots. Web Bot Auth gives website owners / security vendors a lightweight way to allow providers like Intuned.
I help run a tech/AI meetup in San Francisco - during the initial post-Covid period we often hit capacity limits since there wasn't much else going on.
But since late 2024 into 2025, meetups are extremely back in fashion here. Every day of the calendar has multiple meetups and it's impossible to avoid conflicts, so attendance rate can vary wildly.
It's just like a parallel of tech venture capital, where missing the next big thing is far more costly than making a wrong bet. No wonder we see herding in tech investments as well.
I remember in 2021 or so there was a startup doing 20 minute grocery delivery in SF, $50 off on your first order.
I got some really nice steaks for free and the delivery actually arrived via motorbike in 10 minutes. They must have had delivery drivers waiting with their own inventory or something. Anyways, the VC funding dried up and the company was gone a few months later.
Yeah, I had the same question myself. I think that's what you would want to do to make it airtight (plus some amount of rate limiting or flagging for devices that are part of dedicated device farms).
But even if not, there's still value in raising the barrier to entry. For example, you can buy 1000 reCaptcha solves for $1-2 from various captcha-solver services. And yet that $0.001-per-request fee does discourage mass-scale bot attacks.
This is generally true of every application that handles sensitive data. Unless you explicitly clear that memory, it's likely to hang around forever.
For example, here is a 2019 writeup from KeePassXC with similar notes: https://keepassxc.org/blog/2019-02-21-memory-security/ - even though they explicitly clear sensitive data, there is still a window of opportunity.
During my time working on confidential computing, we had a variety of demos showing similar attacks against lots of different datastores, scripts, etc. That's just how computers work and your options are very limited if this is part of your threat model (imo just confidential computing and, if you can handle the performance hit, fully-homomorphic encryption).
I see it as no different from the previous generation of consumer startups burning money - as Derek Thompson wrote,
> ...if you woke up on a Casper mattress, worked out with a Peloton, Ubered to a WeWork, ordered on DoorDash for lunch, took a Lyft home, and ordered dinner through Postmates only to realize your partner had already started on a Blue Apron meal, your household had, in one day, interacted with eight unprofitable companies that collectively lost about $15 billion in one year.
If I understand correctly, threat model here seems to be to protect against accidental issues that would impact performance, but doesn't cover malicious actor.
For example, Sketchy Provider tells you they are running the latest and greatest, but actually is knowingly running some cheaper (and worse) model and pocketing the difference. These tests wouldn't help since Sketchy Provider could detect when they're being tested and do the right thing (like the Volkswagen emissions scandal). Right?
<first two letters + last four>@twilio.com